This presentation covers what buffer overflows and heap overflows are and how they are exploited, with a specific focus on how this technique is used to exploit JPEG images on Microsoft Windows systems.
Microsoft GDI+ JPEG Integer Underflow Vulnerability
1. Principles Of Secure Coding
JPEG Integer Underflow
Microsoft Security Bulletin MS04-028
Ashish Malik
2. Microsoft JPEG Vulnerability
JPEGs themselves are not the problem, however. The problem lies in
the application that reads this information and displays the
pictures on screen.
The exploit triggers an overflow in a common Windows
component called the GDI+ JPEG decoder.
The vulnerability specifically resides in “gdiplus.dll”.
These attack images are not technically a virus.
Different Windows applications frequently distribute their own
versions of GDI+.
3. Buffer Overflow
The application fails to check the size of input data before copying it
to memory.
Two types of buffer overflow:
Stack Overflow
Heap Overflow
The stack and the heap are memory regions used by a process for storing
various types of data.
4. Stack Overflow
When a process makes a function call, the address of the next
instruction, known as the return pointer, or RET, is pushed onto the
stack.
Function call parameters are pushed on after RET.
Execution then jumps to the address of the called function.
7. Heap Overflow
A region of memory used by a process for accommodating data whose
size is unknown at compile time.
Created within the process's virtual address space.
The OS is responsible for heap management.
malloc() or HeapAlloc()
The standard heap contains an array called the Free List, used to track
the locations of free heap blocks.
12. GDI+ Jpeg Vulnerability
The JPEG format defines a number of headers.
The vulnerability described in MS04-028 lies in how GDI+
handles the comment header.
Each header segment begins with a 2-byte ID.
The comment header consists of the COM marker (0xFFFE).
GDI+ calculates the comment length by subtracting 2 from the value of
the length field.
13. GDI+ Jpeg Vulnerability
If the length field specifies a comment length of 0 or 1, the GDI+
calculation results in a negative value.
1 – 2 = -1 ≡ 0xFFFFFFFF ≡ 4GB - 1
It is interpreted as a positive integer in excess of 4 billion.
An unsigned 32-bit integer is used to store the length of the
comment data.
14. GDI+ Jpeg Vulnerability
The GDI+ routine for copying the comment data to the heap is:
rep mov [edi], [esi]
(i.e. the x86 rep movs string copy from [esi] to [edi])
The ECX register is used as the counter.
GDI+ allows an excessively large counter value.
GDI+ handles the access violation by requesting additional heap
space to continue with the rep mov.
HeapAlloc() returns pointers to heap locations which contain
the JPEG data.
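As an added illustration of slides 12 to 14 (example code written for this page, not GDI+ or Microsoft's code): a small C parser that walks JPEG marker segments and shows both sides of the bug. flawed_comment_length() is the arithmetic the slides describe, a 16-bit length field minus 2 held in an unsigned 32-bit value, so a field of 0 or 1 wraps to roughly 4 GB. parse_first_comment() is the checked version: it rejects a length field below 2, rejects a segment that runs past the end of the input, and bounds the copy by the destination buffer rather than by whatever the file claims. The sample byte strings, the function names and the 64-byte output buffer are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs (not real image files): an SOI marker
 * followed by one or more marker segments. */
static const uint8_t kBadComment[]  = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x01 };           /* COM, length field = 1 */
static const uint8_t kGoodComment[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x07,
                                        'h', 'e', 'l', 'l', 'o', 0xFF, 0xD9 };          /* COM, 5-byte payload, EOI */
static const uint8_t kTruncated[]   = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x10, 'a', 'b' }; /* claims 14 payload bytes, has 2 */
static const uint8_t kNoComment[]   = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x04, 0xAA, 0xBB,
                                        0xFF, 0xD9 };                                   /* APP0 then EOI */

/* The arithmetic the slides describe: the 16-bit length field minus 2,
 * held in an unsigned 32-bit value with no lower bound. For a field of
 * 0 or 1 this wraps to about 4 GB, which is the integer underflow. */
uint32_t flawed_comment_length(uint16_t length_field)
{
    return (uint32_t)length_field - 2u;
}

/* Hardened parser for the first COM segment after SOI.
 * Returns 1 = comment found and copied, 0 = image ended without a comment,
 * -1 = malformed input (length field below 2, segment running past the end
 * of the data, truncated header, or payload larger than the destination).
 * Only marker segments carrying a length field are handled; EOI ends the walk. */
int parse_first_comment(const uint8_t *buf, size_t buf_len,
                        uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (buf_len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return -1;                                   /* no SOI marker */

    size_t pos = 2;
    while (pos + 2 <= buf_len) {
        if (buf[pos] != 0xFF)
            return -1;                               /* expected a marker byte */
        uint8_t marker = buf[pos + 1];
        if (marker == 0xD9)
            return 0;                                /* EOI: no length field, image ends here */
        if (pos + 4 > buf_len)
            return -1;                               /* length field itself is truncated */

        /* Big-endian 16-bit length that counts itself (2 bytes) plus the payload. */
        uint16_t length_field = (uint16_t)((buf[pos + 2] << 8) | buf[pos + 3]);
        if (length_field < 2)
            return -1;                               /* the lower-bound check whose absence gives MS04-028 */
        size_t payload = (size_t)length_field - 2;   /* cannot wrap once length_field >= 2 */
        if (pos + 2 + (size_t)length_field > buf_len)
            return -1;                               /* segment extends past the data */

        if (marker == 0xFE) {                        /* COM segment */
            if (payload > out_cap)
                return -1;                           /* copy is bounded by the destination, not by the file */
            memcpy(out, buf + pos + 4, payload);
            *out_len = payload;
            return 1;
        }
        pos += 2 + (size_t)length_field;             /* skip to the next marker */
    }
    return -1;                                       /* ran off the end without an EOI */
}

/* Convenience wrappers so the parser result can be checked without
 * managing an output buffer at the call site. */
int comment_status(const uint8_t *buf, size_t buf_len)
{
    uint8_t out[64];
    size_t n = 0;
    return parse_first_comment(buf, buf_len, out, sizeof out, &n);
}

int comment_equals(const uint8_t *buf, size_t buf_len, const char *expected)
{
    uint8_t out[64];
    size_t n = 0;
    if (parse_first_comment(buf, buf_len, out, sizeof out, &n) != 1)
        return 0;
    return n == strlen(expected) && memcmp(out, expected, n) == 0;
}

int main(void)
{
    printf("flawed length for field 1: 0x%08X\n", (unsigned)flawed_comment_length(1));
    printf("bad comment: %d, good comment: %d, truncated: %d, no comment: %d\n",
           comment_status(kBadComment, sizeof kBadComment),
           comment_status(kGoodComment, sizeof kGoodComment),
           comment_status(kTruncated, sizeof kTruncated),
           comment_status(kNoComment, sizeof kNoComment));
    return 0;
}
```

The two checks worth carrying into any segment parser are the ones the slides show GDI+ lacking: the length field must be at least the size of the field itself before subtracting, and the copy length must be bounded by the destination allocation rather than by a value read from the input.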
15. GDI+ Jpeg Vulnerability
The exploit takes advantage of this to overwrite the Unhandled
Exception Filter pointer.
Exploits may also use some form of win32_reverse shellcode
from the Metasploit Project shellcode repository.